Segment deduplication system with encryption of segments

ABSTRACT

A system for storing encrypted data comprises a processor and a memory. The processor is configured to receive an encrypted segment. The encrypted segment is determined by breaking a data stream, a data block, or a data file into one or more segments and encrypting each of the one or more segments. The processor is further configured to determine whether the encrypted segment has been previously stored, and in the event that the encrypted segment has not been previously stored, store the encrypted segment. The memory is coupled to the processor and configured to provide the processor with instructions.

BACKGROUND OF THE INVENTION

Segment data duplication storage system store data in a space efficientmanner by only storing a newly received segment in the event that anidentical segment to the newly received segment has not been previouslystored. However, some user of storage systems would like the ability toencrypt data prior to storing in order to ensure security. Encryption,however, typically does not allow an identical segment to be identifiedand thereby eliminating the efficiency of the deduplication system.Also, some deduplication systems would like to use a compression for thedata that is requested to be stored. However, compression typically doesnot allow an identical segment to be identified and thereby eliminatingthe efficiency of the deduplication system.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the followingdetailed description and the accompanying drawings.

FIG. 1 is a block diagram illustrating an embodiment of a system forstorage for data.

FIG. 2 is a block diagram illustrating an embodiment of a segmentstorage engine.

FIG. 3 is a block diagram illustrating an embodiment of a storage usersystem.

FIG. 4 is a flow diagram illustrating an embodiment of a process forstoring data.

FIG. 5 is a flow diagram illustrating a process for retrieving data.

FIG. 6 is a block diagram illustrating an embodiment of a storage usersystem.

FIG. 7 is a flow diagram illustrating an embodiment of a process forstoring data.

FIG. 8 is a flow diagram illustrating a process for retrieving data.

FIG. 9 is a block diagram illustrating an embodiment of a storage usersystem.

FIG. 10 is a flow diagram illustrating an embodiment of a process forstoring data.

FIG. 11 is a flow diagram illustrating a process for retrieving data.

FIG. 12A is a block diagram illustrating an embodiment of datastructures.

FIG. 12B is a block diagram illustrating an embodiment of datarelations.

FIG. 13A is a block diagram illustrating an embodiment of datarelations.

FIG. 13B is a block diagram illustrating an embodiment of datarelations.

FIG. 13C is a block diagram illustrating an embodiment of datarelations.

DETAILED DESCRIPTION

The invention can be implemented in numerous ways, including as aprocess; an apparatus; a system; a composition of matter; a computerprogram product embodied on a computer readable storage medium; and/or aprocessor, such as a processor configured to execute instructions storedon and/or provided by a memory coupled to the processor. In thisspecification, these implementations, or any other form that theinvention may take, may be referred to as techniques. In general, theorder of the steps of disclosed processes may be altered within thescope of the invention. Unless stated otherwise, a component such as aprocessor or a memory described as being configured to perform a taskmay be implemented as a general component that is temporarily configuredto perform the task at a given time or a specific component that ismanufactured to perform the task. As used herein, the term ‘processor’refers to one or more devices, circuits, and/or processing coresconfigured to process data, such as computer program instructions.

A detailed description of one or more embodiments of the invention isprovided below along with accompanying figures that illustrate theprinciples of the invention. The invention is described in connectionwith such embodiments, but the invention is not limited to anyembodiment. The scope of the invention is limited only by the claims andthe invention encompasses numerous alternatives, modifications andequivalents. Numerous specific details are set forth in the followingdescription in order to provide a thorough understanding of theinvention. These details are provided for the purpose of example and theinvention may be practiced according to the claims without some or allof these specific details. For the purpose of clarity, technicalmaterial that is known in the technical fields related to the inventionhas not been described in detail so that the invention is notunnecessarily obscured.

A segment deduplication system with encryption of segments is disclosed.The system comprises a processor and a memory. The processor isconfigured to receive and encrypted segment and determine whether theencrypted segment has been previously stored. The encrypted segment isdetermined by breaking a data stream, a data block, or a data file intoone or more segments and encrypting each of the one or more segments. Inthe event that the encrypted segment has not been previously stored, theencrypted segment is stored.

A system for reading encrypted data is disclosed. The system comprises adeduplicated storage device and a processor. The processor is configuredto retrieve one or more encrypted segments from the deduplicated storagedevice. The one or more encrypted segments were determined by breaking adata stream, a data block, or a data file into one or more segments andencrypting each of the one or more segments. The processor is furtherconfigured to decrypt the segments and assemble the segments toreconstruct the data stream, the data block, or the data file.

In some embodiments, a segment deduplication system with compression ofsegments is disclosed. The system comprises a processor and a memory.The processor is configured to receive and compress segments anddetermine whether a compressed segment has been previously stored. Thecompressed segment is determined by breaking a data stream, a datablock, or a data file into one or more segments and compressing each ofthe one or more segments. In the event that the compressed segment hasnot been previously stored, the compressed segment is stored.

In some embodiments, a system for reading compressed data is disclosed.The system comprises a deduplicated storage device and a processor. Theprocessor is configured to retrieve one or more compressed segments fromthe deduplicated storage device. The one or more compressed segmentswere determined by breaking a data stream, a data block, or a data fileinto one or more segments and compressing each of the one or moresegments. The processor is further configured to decompress the segmentsand assemble the segments to reconstruct the data stream, the datablock, or the data file.

In some embodiments, a system for storing encrypted and compressed datais disclosed. The system comprises a processor configured to determinewhether an encrypted compressed segment has been previously stored. Theencrypted compressed segment was determined by breaking a data stream, adata block, or a data file into one or more segments and compressing andthen encrypting each of the one or more segments. In the event that theencrypted compressed segment has not been previously stored, theencrypted compressed segment is stored.

In some embodiments, a system for reading encrypted compressed data. Thesystem comprises a deduplicated storage device and a processor. Theprocessor is configured to decrypt one or more encrypted compressedsegments stored in the deduplicated storage device. The one or moreencrypted compressed segments were determined by breaking a data stream,a data block, or a data file into one or more segments and compressingand then encrypting each of the one or more segments. The processor isfurther configured to decompress the one or more decrypted compressedsegments and assemble the one or more decrypted decompressed segments toreconstruct the data stream, the data block, or the data file.

In some embodiments, encryption of segment(s) provides security for datacontent of the segment(s) during transmission between systems and duringstorage while still providing efficient deduplication storage ofsegment(s). In some embodiments, compression of segment(s) providesbandwidth savings during transmission between systems and storage spacesavings during storage while still providing efficient deduplicationstorage of segment(s).

FIG. 1 is a block diagram illustrating an embodiment of a system forstorage for data. In the example shown, storage system 100 is accessedby a user using storage user system 110 or by storage user system 110via network 108. In various embodiments, network 108 comprises one ormore of a wired network, a wireless network, a local area network, awide area network, the Internet, or any other appropriate network.Storage system 100 comprises system interface 102, segment storageengine 104, and a plurality of storage units (represented in FIG. 1 bystorage unit 112, storage unit 114, storage unit 116, and storage unit118). Storage system 100 is replicated using replica storage system 106.For example, a storage unit is replicated by storing segments andmetadata stored on the storage unit to another storage unit.

Storage user system 110 breaks a file, a data stream, or a data blockinto segment(s) (e.g., boundaries are identified for one or moresegments—for example, a hash function operates on a portion of thecontent of the file; when the hash function is equal to a value, is aminimum value, is a maximum value, is between a minimum and maximumlength, and/or is an extrema value within a window of the file, etc. asegment boundary is determined). Segment boundaries are determined suchthat two similar files, data streams, or data blocks have the goal ofhaving the same segments for identical portions of the files, datastreams, or data blocks, and different segments for the non-identicalportions of the files, data streams, or data blocks. In variousembodiments, the segment determination is based on the content of thedata (e.g., using value(s) calculated based on data content), not basedon the content (e.g., byte count, file criteria, etc.), or a combinationof content based criteria and non-content based criteria. In variousembodiments, storage user system 110 encrypts and/or compresses thesegments. Storage user system 110 sends the segment(s) (e.g., compressedsegments, encrypted segments, compressed encrypted segments, etc.) to bestored by storage system 100 via network 108. In various embodiments,information regarding how to reconstruct the file, the data stream, orthe data block is also sent from storage user system 110 to storagesystem 100 and/or is stored by storage user system 110, or any otherappropriate action for the information.

Storage system 100 receives the segment using system interface 102.Segment storage engine 104 stores the segments in a storage unit (e.g.,storage unit 112, storage unit 114, storage unit 116, or storage unit118). In various embodiments, a storage unit comprises a storage device,multiple storage devices, a portion of a storage device, a hard drive,an array of drives, a semiconductor memory, or any other appropriatestorage unit. Segment storage engine 104 only stores a segment in astorage unit if the segment has not been previously stored in thestorage unit. In some embodiments, an identifier (e.g., a digitalfingerprint, Secure Hash Algorithm hash value, a Rabin hash, etc.) isused for determining whether a segment has been previously stored byseeing if an identical identifier already exists in an index of storedsegments for storage system 100. In various embodiments, the identifierfor a given segment is determined using storage system 100, usingstorage user system 110, or any other appropriate system. In someembodiments, an identifier is sent along with an associated segment fromstorage user system 110 to storage system 100.

Storage user system 110 requests one or more segments that is/are storedon storage system 100 via network 108. Storage system 100 receives therequest using system interface 102. Segment storage engine 104 finds thesegments used to store a file, data stream, or data block in theappropriate storage unit(s). The one or more segments are sent tostorage user system 110 via network 108. Storage user system 110 usesthe one or more segments to reconstruct a file, data stream, or datablock. In various embodiments, the segment(s) are decrypted and/ordecompressed or any other appropriate processing in order to reconstructthe desired file, data stream, or data block.

In various embodiments, encryption, decryption, compression, and/ordecompression systems used are any appropriate systems that arecompatible with a data segment deduplication system—for example, asystem where a given encrypted and/or compressed segment can be used toidentify whether an identical segment that has also been similarlyencrypted and/or compressed has been previously stored.

In various embodiments, hardware and/or software components oraccelerators or one or more processors are used for compression,decompression, encryption, and/or decryption, or any other appropriatecombination of hardware and/or software.

In some embodiments, storage user system 110 is one of a plurality ofstorage user systems and each of the plurality can use different orsimilar compression/decompression and/or encryption systems, and/ordifferent keys for similar encryption systems.

FIG. 2 is a block diagram illustrating an embodiment of a segmentstorage engine. In some embodiments, the system of FIG. 2 is used toimplement segment storage engine 104 of FIG. 1. In the example shown,segment storage engine 200 comprises interface 202, duplicate eliminatorfilter 206, index 210, and segment storage unit interface 212. Segmentstorage engine 200 receives segment(s) using interface 202. Duplicateeliminator 206 identifies whether a newly received segment has alreadybeen stored in segment storage unit(s). Index 210 is used to locatestored segments in storage unit(s) using storage unit interface 212.

Interface 202 receives a request to retrieve segment(s). Interface 202communicates with index 210 to locate appropriate segments stored instorage units via storage unit interface 212. Appropriate segment(s)is/are provided via interface 202 in response to the request. In someembodiments, metadata information is stored associated with asegment—for example, segment identifier, source system, sessioninformation, user information, host information, key information,encryption type, compression information, compression type, formatinformation, pad information, associated file, data stream, or datablock, etc.

FIG. 3 is a block diagram illustrating an embodiment of a storage usersystem. In some embodiments, storage user system 300 of FIG. 3 is usedto implement storage user system 110 of FIG. 1. In the example shown,storage user system 300 comprises storage device 302, storage device304, storage device 306, storage interface 308, data segmenter/datareassembler 310, segment encrypter/segment decrytper 312, interface 314which is coupled to network 320, mapping storage 316, key storage 318,and user interface 322 which is able to be accessed by user 324. User324 is able to request via user interface 322 that a file, data stream,or data block is to be stored. Storage interface 308 receives a file,data stream, or data block to be processed from storage device 302,storage device 304, or storage device 306. In various embodiments,storage interface 308 receives a file, data stream, or data block froman external storage device (not shown in FIG. 3), an external system(not shown in FIG. 3), or any other appropriate internal or externalcomponent, device, or system.

The file, data stream, or data block is processed by data segmenter/datareassembler 310. Data segmenter/data reassembler 310 breaks the file,data stream, or data block into segments. In various embodiments, thefile, data stream, or data block is broken into segments by identifyingsegment boundaries using a content-based technique (e.g., a function iscalculated at various locations of a data item, when the function isequal to a value or when the value is a minimum, a maximum, or otherextrema value relative to other function values calculated for the dataitem), a non-content-based technique (e.g., based on data itemproperty—for example, byte length, title, creation date), or any otherappropriate technique. In various embodiments, a segment is restrictedto a minimum and/or maximum length, to a minimum or maximum number ofsegments per data item, or any other appropriate limitation. Datasegmenter/data reassembler 310 further processes information to indicatethe segment(s) mapping to the file, data stream, or data block so thatthe file, data stream, or data block can be reconstructed from thesegment(s). In some embodiments, a list of fingerprints is used toindicate a mapping of segment(s) that are associated with a file, datastream, or data block. Mapping information is stored using mappingstorage 316.

Segment encrypter/segment decrypter 312 encrypts the segment(s). Theencryption and decryption system is compatible with being able to storethe segment(s) using a deduplication system—for example, there is a oneto one correspondence between a given segment and the encrypted versionof the given segment so that it can be identified by using the encryptedversion of the given segment whether the given segment in its encryptedform has been previously stored. Note that this somewhat degrades thestrength of possible encryption systems that can be used, however theoverall system performance of having an encrypted deduplication systemoutweighs for some applications the selection of encryption system withthe required properties. In various embodiments, encryption systemand/or decryption system comprise(s) a stream cipher (e.g., RivestCipher 4 (RC4), Rivest Cipher 5 (RC5), etc.), a cipher feedback system,electronic code book system, advanced encryption standard (AES), dataencryption standard (DES), or any other appropriate system. In someembodiments, a fixed block cipher system is used by padding a segment toa fixed block size before encrypting or depadding after decrypting.

The encrypted segment is transferred to a system coupled to storage usersystem 300 via interface 314 and network 320.

User 324 is able to request via user interface 322 that a file, datastream, or data block is to be retrieved. Information stored in mappingstorage 316 is used by data segmenter/data reassembler 310 to determinewhich encrypted segment(s) to request to be retrieved from adeduplicating segment storage system (e.g., storage system 100 of FIG.1). The encrypted segment(s) are transferred via network 320 andinterface 314 and decrypted using segment encrypter/segment decrypter312. Segmenter encrypter/segment decrypter 312 uses information storedin key storage 318 to decrypt encrypted segment(s). In variousembodiments, keys stored in key storage 318 are associated with segmentsbased at least in part on one or more of the following: a user, a sourcesystem, a session, or any other appropriate manner of assigning keysassociated with a file, data stream, or data block. Data segmenter/datareassemble 310 reassembles the decrypted segment(s) to restore the file,data stream, or data block. FIG. 4 is a flow diagram illustrating anembodiment of a process for storing data. In the example shown, in 400the data stream(s), data file(s), or data block(s) is/are broken intosegment(s). In 402, segment(s) are encrypted. In 404, encryptedsegment(s) is/are transferred. For example, the encrypted segment(s)is/are transferred from a data user system to a storage system. Invarious embodiments, metadata information is transferred associated withthe encrypted segment(s)—for example, a segment identifier, a sourceidentifier, a user identifier, a host identifier, a session identifier,an encryption type, an encryption key, a format type, a pad type, anassociated file, data stream, or data block, etc. In 406, an encryptedsegment is selected to be processed. In 408, it is determined whetherthe selected encrypted segment has been previously stored.

In some embodiments, a check is performed before transferring theencrypted segment to determine whether the encrypted segment has beenpreviously stored and transfer of the full segment is only performed inthe event that the encrypted segment has not been previously stored.

In the event that the segment has been previously stored, in 410 areference is stored to the previously stored encrypted segment, ifappropriate. For example, a reference is stored in the event that thereference is useful in being able to retrieve the encrypted segment withrespect to retrieving the data stream(s), data block(s), or file(s)associated with the segment that has been encrypted and is determined tobe identical to a previously stored encrypted segment. In someembodiments, the reference is stored in an index that associates amapping between data stream(s), data block(s), or file(s) and thesegment(s) determined from the data stream(s), data block(s), orfile(s). In some embodiments, a reference or indication is transferredto a user storage system.

In the event that the segment has not been previously stored, in 412 theselected encrypted segment is stored. An index entry is storedindicating the location at which the selected encrypted segment isstored. In various embodiments, the index entry comprises digitalfingerprint, a SHA-1 hash, Rabin Hash or any other appropriateidentifier that is used to identify whether an identical segment hasbeen previously stored. In some embodiments, the index entry istransferred to a user storage system.

In 414, it is determined whether the all encrypted segments have beenprocessed. In the event that all the encrypted segments have not allbeen processed, control passes to 406. In the event that all theencrypted segments have all been processed, the process ends.

FIG. 5 is a flow diagram illustrating a process for retrieving data. Inthe example shown, in 500 the stored encrypted segment(s) needed torestore a data file, data stream, or data block are retrieved. In 502,the encrypted segment(s) are transferred. For example, the retrievedsegment(s) are sent from a storage system to a storage user system. In504, the encrypted segment(s) are decrypted. In 506, the data file, datastream, or data block is restored by reassembling the decryptedsegment(s).

FIG. 6 is a block diagram illustrating an embodiment of a storage usersystem. In some embodiments, storage user system 600 of FIG. 6 is usedto implement storage user system 110 of FIG. 1. In the example shown,storage user system 600 comprises storage device 602, storage device604, storage device 606, storage interface 608, data segmenter/datareassemble 610, segment compress/segment decompress 612, interface 614which is coupled to network 620, mapping storage 616, compressionstorage 618, and user interface 622 which is able to be accessed by user624. User 624 is able to request via user interface 622 that a file,data stream, or data block is to be stored. Storage interface 608receives a file, data stream, or data block to be processed from storagedevice 602, storage device 604, or storage device 606. In variousembodiments, storage interface 608 receives a file, data stream, or datablock from an external storage device (not shown in FIG. 6), an externalsystem (not shown in FIG. 6), or any other appropriate internal orexternal component, device, or system.

The file, data stream, or data block is processed by data segmenter/datareassembler 610. Data segmenter/data reassembler 610 breaks the file,data stream, or data block into segments. In various embodiments, thefile, data stream, or data block is broken into segments by identifyingsegment boundaries using a content-based technique (e.g., a function iscalculated at various locations of a data item, when the function isequal to a value or when the value is a minimum, a maximum, or otherextrema value relative to other function values calculated for the dataitem), a non-content-based technique (e.g., based on data itemproperty—for example, byte length, title, creation date), or any otherappropriate technique. In various embodiments, a segment is restrictedto a minimum and/or maximum length, to a minimum or maximum number ofsegments per data item, or any other appropriate limitation. Datasegmenter/data reassembler 610 further processes information to indicatethe segment(s) mapping to the file, data stream, or data block so thatthe file, data stream, or data block can be reconstructed from thesegment(s). In some embodiments, a list of fingerprints is used toindicate a mapping of segment(s) that are associated with a file, datastream, or data block. Mapping information is stored using mappingstorage 616.

Segment compress/segment decompress 612 compresses the segment(s). Thecompression and decompression system is compatible with being able tostore the segment(s) using a deduplication system—for example, there isa one to one correspondence between a given segment and the compressedversion of the given segment so that it can be identified by using thecompressed version of the given segment whether the given segment in itscompressed form has been previously stored. In various embodiments,compression system and/or decompression system comprise(s) a losslesscompression/decompression system, a Huffman coding system, a Lempel-ZivWelch coding system, or any other appropriate system.

The compressed segment is transferred to a system coupled to storageuser system 600 via interface 614 and network 620.

User 624 is able to request via user interface 622 that a file, datastream, or data block is to be retrieved. Information stored in mappingstorage 616 is used by data segmenter/data reassembler 610 to determinewhich compressed segment(s) to request to be retrieved from adeduplicating segment storage system (e.g., storage system 100 of FIG.1). The compressed segment(s) are transferred via network 620 andinterface 614 and decompressed using segment compress/segment decompress612. Segment compress/segment decompress 612 uses information stored incompression storage 618 to decompress compressed segment(s). In variousembodiments, compression information stored in compression storage 618are associated with segments based at least in part on one or more ofthe following: a user, a source system, a session, or any otherappropriate manner of assigning compression information associated witha file, data stream, or data block. Data segmenter/data reassemble 310reassembles the decompressed segment(s) to restore the file, datastream, or data block.

FIG. 7 is a flow diagram illustrating an embodiment of a process forstoring data. In the example shown, in 700 the data stream(s), datafile(s), or data block(s) is/are broken into segment(s). In 702,segment(s) are compressed. In 704, compressed segment(s) is/aretransferred. For example, the compressed segment(s) is/are transferredfrom a data user system to a storage system. In various embodiments,metadata information is transferred associated with the compressedsegment(s)—for example, a segment identifier, a source identifier, auser identifier, a host identifier, a session identifier, an compressiontype, an compressor state, a format type, an associated file, datastream, or data block, etc. In 606, a compressed segment is selected tobe processed. In 608, it is determined whether the selected compressedsegment has been previously stored.

In some embodiments, a check is performed before transferring thecompressed segment to determine whether the compressed segment has beenpreviously stored and transfer of the full segment is only performed inthe event that the compressed segment has not been previously stored.

In the event that the segment has been previously stored, in 710 areference is stored to the previously stored compressed segment, ifappropriate. For example, a reference is stored in the event that thereference is useful in being able to retrieve the compressed segmentwith respect to retrieving the data stream(s), data block(s), or file(s)associated with the segment that has been compressed and is determinedto be identical to a previously stored compressed segment. In someembodiments, the reference is stored in an index that associates amapping between data stream(s), data block(s), or file(s) and thesegment(s) determined from the data stream(s), data block(s), orfile(s). In some embodiments, a reference or indication is transferredto a user storage system.

In the event that the segment has not been previously stored, in 712 theselected compressed segment is stored. An index entry is storedindicating the location at which the selected compressed segment isstored. In various embodiments, the index entry comprises digitalfingerprint, a SHA-1 hash, Rabin Hash or any other appropriateidentifier that is used to identify whether an identical segment hasbeen previously stored. In some embodiments, the index entry istransferred to a user storage system.

In 714, it is determined whether the all compressed segments have beenprocessed. In the event that all the compressed segments have not allbeen processed, control passes to 706. In the event that all thecompressed segments have all been processed, the process ends.

FIG. 8 is a flow diagram illustrating a process for retrieving data. Inthe example shown, in 800 the stored compressed segment(s) needed torestore a data file, data stream, or data block are retrieved. In 802,the compressed segment(s) are transferred. For example, the retrievedsegment(s) are sent from a storage system to a storage user system. In804, the compressed segment(s) are decompressed. In 806, the data file,data stream, or data block is restored by reassembling the decompressedsegment(s).

FIG. 9 is a block diagram illustrating an embodiment of a storage usersystem. In some embodiments, storage user system 900 of FIG. 9 is usedto implement storage user system 110 of FIG. 1. In the example shown,storage user system 900 comprises storage device 902, storage device904, storage device 906, storage interface 908, data segmenter/datareassembler 910, segment compress/segment decompress 912, segmentencrypter/segment decrytper 914, interface 922 which is coupled tonetwork 924, mapping storage 916, compression storage 918, key storage920, and user interface 926 which is able to be accessed by user 928.User 928 is able to request via user interface 926 that a file, datastream, or data block is to be stored. Storage interface 908 receives afile, data stream, or data block to be processed from storage device902, storage device 904, or storage device 906. In various embodiments,storage interface 908 receives a file, data stream, or data block froman external storage device (not shown in FIG. 3), an external system(not shown in FIG. 3), or any other appropriate internal or externalcomponent, device, or system.

The file, data stream, or data block is processed by data segmenter/datareassembler 910. Data segmenter/data reassembler 910 breaks the file,data stream, or data block into segments. In various embodiments, thefile, data stream, or data block is broken into segments by identifyingsegment boundaries using a content-based technique (e.g., a function iscalculated at various locations of a data item, when the function isequal to a value or when the value is a minimum, a maximum, or otherextrema value relative to other function values calculated for the dataitem), a non-content-based technique (e.g., based on data itemproperty—for example, byte length, title, creation date), or any otherappropriate technique. In various embodiments, a segment is restrictedto a minimum and/or maximum length, to a minimum or maximum number ofsegments per data item, or any other appropriate limitation. Datasegmenter/data reassembler 910 further processes information to indicatethe segment(s) mapping to the file, data stream, or data block so thatthe file, data stream, or data block can be reconstructed from thesegment(s). In some embodiments, a list of fingerprints is used toindicate a mapping of segment(s) that are associated with a file, datastream, or data block. Mapping information is stored using mappingstorage 916.

Segment compress/segment decompress 912 compresses the segment(s). Thecompression and decompression system is compatible with being able tostore the segment(s) using a deduplication system—for example, there isa one to one correspondence between a given segment and the compressedversion of the given segment so that it can be identified by using thecompressed version of the given segment whether the given segment in itscompressed form has been previously stored. In various embodiments,compression system and/or decompression system comprise(s) a losslesscompression/decompression system, a Huffman coding system, a Lempel-ZivWelch coding system, or any other appropriate system.

Segment encrypter/segment decrypter 912 encrypts the compressedsegment(s). The encryption and decryption system is compatible withbeing able to store the compressed segment(s) using a deduplicationsystem—for example, there is a one to one correspondence between a givencompressed segment and the encrypted version of the given compressedsegment so that it can be identified by using the encrypted version ofthe given compressed segment whether the given compressed segment in itsencrypted form has been previously stored. Note that this somewhatdegrades the strength of possible encryption systems that can be used,however the overall system performance of having an encrypteddeduplication system outweighs for some applications the selection ofencryption system with the required properties. In various embodiments,encryption system and/or decryption system comprise(s) a stream cipher(e.g., Rivest Cipher 4 (RC4), Rivest Cipher 5 (RC5), etc.), a cipherfeedback system, electronic code book, advanced encryption standard(AES), data encryption standard (DES), or any other appropriate system.In some embodiments, a fixed block cipher system is used by padding asegment to a fixed block size before encrypting or depadding afterdecrypting.

The encrypted compressed segment is transferred to a system coupled tostorage user system 900 via interface 922 and network 924.

User 928 is able to request via user interface 926 that a file, datastream, or data block is to be retrieved. Information stored in mappingstorage 916 is used by data segmenter/data reassembler 910 to determinewhich encrypted compressed segment(s) to request to be retrieved from adeduplicating segment storage system (e.g., storage system 100 of FIG.1). The encrypted compressed segment(s) are transferred via network 924and interface 922 and decrypted using segment encrypter/segmentdecrypter 914. Segmenter encrypter/segment decrypter 914 usesinformation stored in key storage 920 to decrypt encrypted compressedsegment(s). In various embodiments, keys stored in key storage 920 areassociated with segments based at least in part on one or more of thefollowing: a user, a source system, a session, or any other appropriatemanner of assigning keys associated with a file, data stream, or datablock. Segment compress/segment decompress 912 uses information storedin compression storage 918 to decompress decrypted compressedsegment(s). In various embodiments, compression information stored incompression storage 918 are associated with segments based at least inpart on one or more of the following: a user, a source system, asession, or any other appropriate manner of assigning compressioninformation associated with a file, data stream, or data block. Datasegmenter/data reassemble 910 reassembles the decompressed decryptedsegment(s) to restore the file, data stream, or data block.

FIG. 10 is a flow diagram illustrating an embodiment of a process forstoring data. In the example shown, in 1000 the data stream(s), datafile(s), or data block(s) is/are broken into segment(s). In 1002,segment(s) are compressed. In 1003, segment(s) are encrypted. In 1004,compressed encrypted segment(s) is/are transferred. For example, thecompressed encrypted segment(s) is/are transferred from a data usersystem to a storage system. In various embodiments, metadata informationis transferred associated with the compressed encrypted segment(s)—forexample, a segment identifier, a source identifier, a user identifier, ahost identifier, a session identifier, a compression type, a compressorstate, an encryption type, an encryption key, a format type, a pad type,an associated file, data stream, or data block, etc. In 1006, acompressed encrypted segment is selected to be processed. In 1008, it isdetermined whether the selected compressed encrypted segment has beenpreviously stored.

In some embodiments, a check is performed before transferring thecompressed encrypted segment to determine whether the encrypted segmenthas been previously stored and transfer of the full segment is onlyperformed in the event that the compressed encrypted segment has notbeen previously stored.

In the event that the segment has been previously stored, in 1010 areference is stored to the previously stored compressed encryptedsegment, if appropriate. For example, a reference is stored in the eventthat the reference is useful in being able to retrieve the compressedencrypted segment with respect to retrieving the data stream(s), datablock(s), or file(s) associated with the segment that has beencompressed and encrypted and is determined to be identical to apreviously stored compressed encrypted segment. In some embodiments, thereference is stored in an index that associates a mapping between datastream(s), data block(s), or file(s) and the segment(s) determined fromthe data stream(s), data block(s), or file(s). In some embodiments, areference or indication is transferred to a user storage system.

In the event that the segment has not been previously stored, in 1012the selected compressed encrypted segment is stored. An index entry isstored indicating the location at which the selected compressedencrypted segment is stored. In various embodiments, the index entrycomprises digital fingerprint, a SHA-1 hash, Rabin Hash or any otherappropriate identifier that is used to identify whether an identicalsegment has been previously stored. In some embodiments, the index entryis transferred to a user storage system.

In 1014, it is determined whether the all compressed encrypted segmentshave been processed. In the event that all the compressed encryptedsegments have not all been processed, control passes to 1006. In theevent that all the compressed encrypted segments have all beenprocessed, the process ends.

FIG. 11 is a flow diagram illustrating a process for retrieving data. Inthe example shown, in 1100 the stored compressed encrypted segment(s)needed to restore a data file, data stream, or data block are retrieved.In 1102, the compressed encrypted segment(s) are transferred. Forexample, the retrieved segment(s) are sent from a storage system to astorage user system. In 1104, the compressed encrypted segment(s) aredecrypted. In 1106, the decrypted compressed segment(s) is/aredecompressed. In 1108, the data file, data stream, or data block isrestored by reassembling the decompressed decrypted segment(s).

FIG. 12A is a block diagram illustrating an embodiment of datastructures. In the example shown, data item 1200 comprises a datastream, data block, or data file. Data item 1200 is broken into set ofsegments 1210 of variable length. In some embodiments, the segments areof fixed length. Set of segments 1210 comprises one or moresegments—represented in FIG. 12A by S₁, S₂, S₃, S₄, and S_(N).

FIG. 12B is a block diagram illustrating an embodiment of datarelations. In the example shown, a mapping between a data item ID andsegment ID's is depicted—ID_(data) is associated with ID_(segment1),ID_(segment2), ID_(segment3), ID_(segment4), up to ID_(segmentN). Theassociation relationship comprises that data of ID IDdata can bereconstructed or reassembled using a set of segments with ID's of,ID_(segment2), ID_(segment3), ID_(segment4), up to ID_(segmentN). Insome embodiments, data relations of FIG. 12B are stored using mappingstorage (e.g., mapping storage 316 of FIG. 3, mapping storage 616 ofFIG. 6 and/or mapping storage 916 of FIG. 9).

FIG. 13A is a block diagram illustrating an embodiment of datarelations. In the example shown, a mapping between a data item ID andsource ID, user ID, host ID, and format type is depicted. An ID for adata item is associated with a source of source ID (e.g., a systemsource identifier), a user with user ID (e.g., a user identifier thatgenerated, requested to be stored, requested to be retrieved the dataitem), a host with host ID (e.g., a host system associated with a user),and a format of format type (e.g., stream, block, file, backup, raw,tape format, etc.). In various embodiments, any combination of ID's orlack of ID's or other appropriate associated information is mapped withdata item ID. In some embodiments, data relations of FIG. 13A are storedusing mapping storage (e.g., mapping storage 316 of FIG. 3, mappingstorage 616 of FIG. 6 and/or mapping storage 916 of FIG. 9).

FIG. 13B is a block diagram illustrating an embodiment of datarelations. In the example shown, a mapping between a segment ID andencryption type, encryption key, and pad type is depicted. An ID for asegment is associated with an encryption of encryption type (e.g., AES,DES, etc.), a key used for encrypting (e.g., a key comprising 128 bits,256 bits, an alphanumeric string, etc.), and a padding of padding type(e.g., a type of padding added to a variable length segment to achieve adata length compatible with the encryption type, zero pads, data patternpad, etc.). In various embodiments, any combination of encryptionrelated information or other appropriate associated information ismapped with data segment ID. In some embodiments, data relations of FIG.13B are stored using key storage (e.g., key storage 318 of FIG. 3 and/orkey storage 920 of FIG. 9).

FIG. 13C is a block diagram illustrating an embodiment of datarelations. In the example shown, a mapping between a segment ID andcompression type and compressor state is depicted. An ID for a segmentis associated with a compression of compression type (e.g., Huffmancoding system, a Lempel-Ziv Welch coding system, etc.) and a state usedfor compressing (e.g., a key comprising 128 bits, 256 bits, analphanumeric string, etc). In various embodiments, any combination ofcompression related information or other appropriate associatedinformation is mapped with data segment ID. In some embodiments, datarelations of FIG. 13C are stored using compression storage (e.g.,compression storage 618 of FIG. 6 and/or compression storage 918 of FIG.9).

Although the foregoing embodiments have been described in some detailfor purposes of clarity of understanding, the invention is not limitedto the details provided. There are many alternative ways of implementingthe invention. The disclosed embodiments are illustrative and notrestrictive.

1. A system for storing encrypted data, comprising: a processorconfigured to: receive an encrypted segment, wherein the encryptedsegment is determined by breaking a data stream, a data block, or a datafile into one or more segments and encrypting each of the one or moresegments; determine whether the encrypted segment has been previouslystored; in the event that the encrypted segment has not been previouslystored, store the encrypted segment; and a memory coupled to theprocessor and configured to provide the processor with instructions. 2.A system as in claim 1, wherein the breaking the data stream, the datablock, or the data file is based at least in part on one of thefollowing: a content-based technique or a non-content-based technique.3. A system as in claim 1, wherein encrypting comprises encrypting usingone of the following: a stream cipher system, a cipher feedback system,an electronic code book system, an AES system, or a DES system.
 4. Asystem as in claim 1, wherein for a first segment and a second segmentthat is identical to the first segment, an encrypted first segment isidentical to an encrypted second segment.
 5. A method for storingencrypted data, comprising: receiving an encrypted segment, wherein theencrypted segment is determined by breaking a data stream, a data block,or a data file into one or more segments and encrypting each of the oneor more segments; determining, using a processor, whether the encryptedsegment has been previously stored; in the event that the encryptedsegment has not been previously stored, storing the encrypted segment.6. A method as in claim 5, wherein the breaking the data stream, thedata block, or the data file is based at least in part on one of thefollowing: a content-based technique or a non-content-based technique.7. A method as in claim 5, wherein encrypting comprises encrypting usingone of the following: a stream cipher system, a cipher feedback system,an electronic code book system, an AES system, or a DES system.
 8. Amethod as in claim 5, wherein for a first segment and a second segmentthat is identical to the first segment, an encrypted first segment isidentical to an encrypted second segment.
 9. A computer program productfor storing encrypted data, the computer program product being embodiedin a computer readable storage medium and comprising computerinstructions for: receiving an encrypted segment, wherein the encryptedsegment is determined by breaking a data stream, a data block, or a datafile into one or more segments and encrypting each of the one or moresegments; determining, using a processor, whether the encrypted segmenthas been previously stored; in the event that the encrypted segment hasnot been previously stored, storing the encrypted segment.
 10. A systemfor reading encrypted data, comprising: a deduplicated storage device; aprocessor configured to: retrieve one or more encrypted segments fromthe deduplicated storage device, wherein the one or more encryptedsegments were determined by breaking a data stream, a data block, or adata file into one or more segments and encrypting each of the one ormore segments; decrypt the one or more encrypted segments; and assemblethe one or more decrypted segments to reconstruct the data stream, thedata block, or the data file; and a memory coupled to the processor andconfigured to provide the processor with instructions.
 11. A system asin claim 10, wherein the breaking the data stream, the data block, orthe data file is based at least in part on one of the following: acontent-based technique or a non-content-based technique.
 12. A systemas in claim 10, wherein decrypting comprises decrypting using one of thefollowing: a stream cipher system, a cipher feedback system, anelectronic code book system, an AES system, or a DES system.
 13. Asystem as in claim 10, wherein for a first encrypted segment and asecond encrypted segment that is identical to the first encryptedsegment, a decrypted first encrypted segment is identical to a decryptedsecond encrypted segment.
 14. A method for reading encrypted data,comprising: retrieving one or more encrypted segments from adeduplicated storage device, wherein the one or more encrypted segmentswere determined by breaking a data stream, a data block, or a data fileinto one or more segments and encrypting each of the one or moresegments; decrypting, using a processor, the one or more encryptedsegments; and assembling the one or more decrypted segments toreconstruct the data stream, the data block, or the data file.
 15. Amethod as in claim 14, wherein the breaking the data stream, the datablock, or the data file is based at least in part on one of thefollowing: a content-based technique or a non-content-based technique.16. A method as in claim 14, wherein decrypting comprises decryptingusing one of the following: a stream cipher system, a cipher feedbacksystem, an electronic code book system, an AES system, or a DES system.17. A method as in claim 14, wherein for a first encrypted segment and asecond encrypted segment that is identical to the first encryptedsegment, a decrypted first encrypted segment is identical to a decryptedsecond encrypted segment.
 18. A computer program product for readingencrypted data, the computer program product being embodied in acomputer readable storage medium and comprising computer instructionsfor: retrieving one or more encrypted segments from a deduplicatedstorage device, wherein the one or more encrypted segments weredetermined by breaking a data stream, a data block, or a data file intoone or more segments and encrypting each of the one or more segments;decrypting, using a processor, the one or more encrypted segments; andassembling the one or more decrypted segments to reconstruct the datastream, the data block, or the data file.